Three Indicted In Huge Identity/Data Breach
ScentCone and other readers let us know about an indictment just unsealed in federal court charging three men with stealing 130 million credit card numbers and other data useful for identity theft, or just plain money theft. The breaches were at payment processor Heartland (accounting for the bulk of the 130M), Hannaford, 7-11, and two unnamed "national retailers." Interestingly, the focus of the indictment, Albert "Segvec" Gonzalez, is currently awaiting trial for masterminding the TJX break-in, which until Heartland counted as the largest credit-card theft ever. The indictment cites SQL injection attacks as the entry vector. Two unnamed Russia-based conspirators were also indicted. Securosis has analysis of the security implications of the breach ("These appear to be preventable attacks using common security controls. It's possible some advanced techniques were used, but I doubt it") and of the attackers' methodology.
Like an internet hate machine.
THL phish sticks
These credit card processing companies had better get their acts together fast, or they'll be sunk by so many lawsuits that they won't be able to stay in business.
Insurance companies will see this sort of business as a radioactive risk. They'll let existing contracts expire and quietly back out --UNLESS these companies get serious about their data security.
There is a huge opportunity for someone to make some real coin doing this sort of thing, but it will take a mindset that these people have been loath to accept: People really are out to get them.
Nearly fifty percent of all graduates come from the bottom half of the class!
but by the looks of one of the linked articles, any standardized internal controls audit should have seriously mitigated the risks of these types of attacks being possible. These guys are dealing with credit cards, right? Where was PCI compliance?
Why is it legal to be hispanic?
In Maricopa County, Arizona, it is.
If you want news from today, you have to come back tomorrow.
Don't lose faith. The banks never lose. Both the Democrats and the Republicans see to that!
The losses always get pushed away from the stockholder and onto the consumer! That's what capitalism is! Capital dominates government!
Having been active on the Internet since the 90's and a /. reader since the late 90's, I'm pretty much up to speed on the degree of identity theft that has taken place. But where's the money? Where are the proceeds of all the identity and credit card theft? If you added up all the stolen identities and credit card thefts you'd think a big chunk would have been bitten out of the economy. There doesn't seem to be any significant bleeding. Does it all add up to not much more than a drop in the bucket? On a personal note, I think I'd be better served by being able to establish that my personal information has been stolen multiple times. Maybe a new type of fraud will be 'stealing' your own credit cards and going on an online spending spree.
ideopath @ play
... Pay Cash Instead!
SIGLOST && SIGUNUSED && SIGQUIT
These credit card processing companies had better get their acts together fast, or they'll be sunk by so many lawsuits that they won't be able to stay in business.
Yes, but there is still an underlying problem: The credit card payment system is inherently insecure. I'm not talking about the computers, I'm talking about the system at large. Credit card numbers are basically a password that you share with anybody who you buy stuff from. Any of these vendors by definition have all the information necessary to use your credit card.
What you can't do with the current system:
1) You can't "lend" your card to a subcontractor so that they can buy supplies, without opening yourself up to a world of hurt.
2) You can't trust that your identity isn't stolen at every possible transaction.
3) In the case of a leak, you can't be automatically alerted to attempts to use your credit card.
It could be some otherwise bored l337 h@x0r in Montana at his mom's house who cracks an online shopping cart, or the Russian Mafia, or the pimply guy who pumped your gas. All of them get the ability to "be you" simply by transacting as you, and so long as this fundamental insecurity remains unchanged, credit cards are and will continue to be problematic.
Me? I'm imagining something with my cell phone, a PIN like an ATM card, but one that's different for each transaction. In this manner:
1) I swipe my card.
2) The credit card gives me a challenge code, asks me for my PIN.
3) I get a text message on my cell, which has the challenge code on one line, and a one-time-PIN on the next line, and a third line with the amount charged.
4) I enter the one-time PIN, proving that I have the registered phone in my hand.
5) Then, I enter in my permanent PIN, just like I do now.
This protects me:
1) Anybody at the cell phone company can see the challenge and the response PIN, but it doesn't do them any good since these change with every card swipe.
2) Anybody at the store can see the whole transaction, but it doesn't matter since they don't have my phone.
3) Even the credit card processing center can't fudge the transaction because the amount of the charge was submitted prior to generating the one-time PIN, and I've already been made aware of the charge.
4) If somebody did get your card #, and tried to use it, you would know immediately that it was happening, and the amounts involved because you'd be getting notices of the transactions sent to your phone!
This would DRAMATICALLY reduce the security footprint of the credit card transactional system, and would easily allow for casual "lend him the credit card" scenarios, since you could give the card to someone, and even let them know your permanent PIN, but keep the phone in your hand. The only person who could effectively compromise this credit card system would be the credit card company itself.
The only downside that I can see is that you couldn't use this system in areas without cell service. But even in that case, you could "pre-register" a transaction or two with no amount set, keep the one-time PINs handy, and use them when you don't have service.
The current system is terribly insecure - I've had 3-4 different compromises of my credit card numbers in the last couple years despite my being VERY careful with my data. Then I talk to the fraud department, sign the affidavit, get my credit back, blah blah blah...
The current system sucks. We need a better system.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
If this puts some of these companies out of business it's a good thing. To the survivors, protect your data or else.
If it's cheaper to deal with breaches than to secure them it will continue. That's just simple cost benefit analysis.
Protecting against SQL injection is basic stuff, so I find it worrisome that that's how their system got compromised. I would like to think that most of the data they save to the db is sanitized and that the hackers just got lucky but I have a feeling that's not true.
I never thought I would do one of these, but:
1. Credit Card Industry fails to secure servers
2. Massive Identity Theft Occurs
3. Offer Credit Report and Identity Theft Services to mitigate steps 1 & 2
4. Profit!!!
-I'm just sayin'
They want their SQL injection attack back. I would imagine that the companies involved had to put forth a huge recruitment effort in order to find people competent enough to create a working site and yet clueless enough to allow SQL injection.
We don't see the world as it is, we see it as we are.
-- Anais Nin
Why should this be modded down? It's the logical conclusion to the system. We know the credit card system is insecure, we can fill the message boards with comments going back and forth about it... but that isn't the larger problem. Discussion centering around only the credit card system is bound to revolve around band-aid approaches to fixing the system. In order to truly avoid this sort of problem again we need to understand underlying flaws.
So, logically, you wonder why people need credit cards, and then you wonder why people need credit, and then you wonder why debt accumulates, and then you wonder who debt is important to, and then you wonder who the major players are in the system of debt and, eventually you come to understand that, yes indeed, it is a system of governments and big businesses exploiting capital. Once you reach that conclusion then, really and truly, all discussion around the credit card system becomes "offtopic" and the only topical discussion related to identity theft arising from financial systems concerns the security vulnerabilities in a capitalist system dominated by government and financial behemoths.
Of course, that wouldn't generate very much discussion, because acknowledging that everyone is trapped within an inherently flawed system is just depressing, and everyone leaves their computers to go find an ice cream sundae for comfort. Americans should be happy they live in a capitalist system. Under communism only the rich and powerful could afford a decent ice cream sundae. OTOH, under communism, your identity wasn't important in the first place.
So you can have one or the other: ice cream sundaes to comfort your stolen sense of identity, or no ice cream sundaes and no identity at all to steal.
In short, SQL injection vulnerability in app + MSSQL. With that given, probably the rest was just consequences (it wasn't a big help that the default MSSQL installation includes a tool that can be used to download the rest of the attack), and there aren't a lot of choices to secure that (reverse proxy, encrypted communications).
they get what they deserved. Sadly, few will care.
How is 130 million cards getting compromised not going to have an impact on the economy?
Next time I receive one of those annoying credit applications I think I'll put in my name as "Drop Table" and my address as "Update Transactions Set Balance=-32765" and drop it into the mail.
Before people chime in to either wish Albert a roommate who thinks he has a pretty mouth, or 'explain' why the charges are bogus, just chill. This cracker was in trouble in 2004, turned state's evidence, and walked. There are people still on the inside who really miss him. It doesn't matter what the sentence is in his case, he literally is a dead man walking. It doesn't help either, that his Russian buds, still un-arrested and likely to remain so, may be worried about what new tales he will tell. They probably aren't worried enough to bother, but when somebody else does for lil' old 'soupnazi' they'll help enlarge the suspect list to where nobody will ever prove anything.
So discuss the security needs of the big credit card companies, or this crime in particular, all you want. Just remember, you already know how this one turns out.
Who is John Cabal?
I recommend a method wherein we inscribe some sort of Mark on the right hand or the Forehead to identify people.....Meh yea. lets go that route.
Inane Comments are Generously Disregarded
Why does the credit card number need to be stored at all? I'm assuming that the merchant sends the credit card number to the credit card company (or whomever authorizes the transaction). That authority sends back an "Ok" plus a unique transaction ID for that purchase. Each purchase has a unique transaction ID. The merchant stores the transaction ID and NOT the credit card number (or any other identifying info). Any disputes or corrections are handled by referring to the transaction ID. In this scenario, the actual credit card number is only stored by the credit card company. It exists in no other database. If the vendor site gets hacked, it doesn't have any usable info.
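The design described in the comment above, worked through as an added example (this is not code from the original post or from any real processor): the authorizer hands the merchant an unguessable transaction ID and keeps the only copy of the card number, so the merchant's orders table holds nothing an attacker can charge against. The `Authorizer`, `Merchant` and `breach_dump` names, the Luhn check standing in for real authorization, and the test card numbers are all constructed for illustration.

```python
import secrets


def luhn_ok(pan: str) -> bool:
    """Stand-in for real authorization: a syntactically valid card number."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class Authorizer:
    """Hypothetical card-company side: the ONLY place a PAN is ever stored."""

    def __init__(self):
        self._txns = {}         # transaction_id -> record holding the PAN

    def authorize(self, pan: str, merchant_id: str, amount_cents: int):
        if not luhn_ok(pan):
            return None
        # 192 random bits: unguessable and mathematically unrelated to the PAN,
        # so the ID is useless for making new charges elsewhere.
        txn_id = secrets.token_urlsafe(24)
        self._txns[txn_id] = {"pan": pan, "merchant": merchant_id,
                              "amount_cents": amount_cents, "refunded": 0}
        return txn_id

    def refund(self, txn_id: str, merchant_id: str, amount_cents: int) -> bool:
        t = self._txns.get(txn_id)
        if t is None or t["merchant"] != merchant_id:
            return False        # unknown ID, or another merchant replaying someone else's
        if t["refunded"] + amount_cents > t["amount_cents"]:
            return False        # cannot refund more than was charged
        t["refunded"] += amount_cents
        return True


class Merchant:
    """Hypothetical shop: stores the transaction ID, never the card number."""

    def __init__(self, merchant_id: str, authorizer: Authorizer):
        self.merchant_id = merchant_id
        self._auth = authorizer
        self.orders = []        # this is the table a breach would dump

    def checkout(self, pan: str, amount_cents: int):
        txn_id = self._auth.authorize(pan, self.merchant_id, amount_cents)
        if txn_id is None:
            return None
        # The PAN goes out of scope here; only the ID and amount are persisted.
        self.orders.append({"order_no": len(self.orders) + 1,
                            "txn_id": txn_id, "amount_cents": amount_cents})
        return txn_id

    def refund(self, order_no: int, amount_cents: int) -> bool:
        order = self.orders[order_no - 1]
        return self._auth.refund(order["txn_id"], self.merchant_id, amount_cents)


def breach_dump(merchant: Merchant) -> str:
    """Everything an attacker with full read access to the merchant DB obtains."""
    return repr(merchant.orders)


if __name__ == "__main__":
    auth = Authorizer()
    shop = Merchant("shop-a", auth)
    shop.checkout("4111111111111111", 4999)    # constructed test PAN
    print(breach_dump(shop))                    # no card number anywhere in it
```

Disputes and refunds still work because the merchant can refer back to the ID, but the ID is scoped to the merchant that created it and to the amount originally charged, so it cannot be replayed by a second merchant or used to refund more than was paid.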
I just recently moved to Sweden from Denmark. The changes in online payment processing weren't that big - they just introduced an extra bit of security. It's not a matter of being from Sweden or Denmark, it's a matter of how the shops are set up.
In Denmark, it's the same way as in the US:
1) Punch in your card number
2) Punch in the card's security code
3) There is no step 3
The Swedish stores I've bought from add extra steps when I'm using the card from my bank, though; they use authentication that you need to have with you:
A smart card reader using the chip and pin for my card.
When I want to pay using that system, the steps are as follows:
1) Payment processor is my bank, not some random company, and is in a separate SSL session to my bank
2) Enter SSN on payment page
3) Enter the one-time control code in my reader
4) Enter the PIN for my card in the reader
5) Punch in the return code from the card reader on the payment page
It's the same system I use for my online banking as well; it has steps for login, signing and buying, each presumably using a separate private key.
A system like this put into place everywhere would make gleaning my credit card number useless. I don't have any physical identification that has my SSN on it, nor am I required to have such by Swedish law (unless I'm driving). And even with my SSN, they still need to know my PIN code. Can't say for sure if the card and reader are tied to each other though - I haven't tried using someone else's reader.
Additionally when this system is used on the websites, all processing is done through the bank's own systems, meaning the bank itself is the one that needs to be compromised, and they're probably a bit more worried about a breach than the other guys. I mean - if their systems are broken into, it's not like they can just pass the blame onto some random third party and tell the customers "don't worry, we won't be doing business with them again" - they screw up and it's us telling the banks we won't do business with them again.
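Both the phone-based one-time PIN proposed earlier in the thread and the Swedish card-reader flow just described are the same idea: a code computed by a device the user holds, over a fresh challenge and the amount the user was shown, so it cannot be replayed or reused for a different amount. The following is an added example of that exchange, not code from either commenter, any bank, or the real chip-and-PIN protocol. It assumes a per-card secret provisioned into the device at enrollment, an HMAC-SHA256 over challenge, amount and merchant, and a 6-digit truncation borrowed from HOTP (RFC 4226); the `Issuer`, `Device` and `demo` names and the test card number are constructed.

```python
import hashlib
import hmac
import secrets
import struct


def one_time_code(key: bytes, challenge: str, amount_cents: int, merchant: str) -> str:
    """6-digit code bound to this challenge, this amount and this merchant."""
    msg = f"{challenge}|{amount_cents}|{merchant}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                         # dynamic truncation as in HOTP
    n = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{n % 1_000_000:06d}"


class Device:
    """The phone or chip-and-PIN reader: holds the key and answers challenges."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: str, amount_cents: int, merchant: str) -> str:
        # In the real flow the user sees amount and merchant here and enters a
        # PIN before the device answers; that UI step is omitted.
        return one_time_code(self._key, challenge, amount_cents, merchant)


class Issuer:
    """Hypothetical card issuer: enrolls devices, issues and checks challenges."""

    def __init__(self):
        self._keys = {}        # card number -> device key
        self._pending = {}     # outstanding challenge -> card number

    def enroll(self, card_number: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[card_number] = key
        return key             # provisioned into the device, never sent to a merchant

    def begin(self, card_number: str):
        if card_number not in self._keys:
            return None
        challenge = secrets.token_hex(8)
        self._pending[challenge] = card_number
        return challenge

    def complete(self, challenge: str, amount_cents: int, merchant: str, code: str) -> bool:
        card = self._pending.pop(challenge, None)   # single use: a replay finds nothing
        if card is None:
            return False
        # Recompute with the amount the merchant actually submits for settlement;
        # if it differs from what the user approved, the code will not match.
        expected = one_time_code(self._keys[card], challenge, amount_cents, merchant)
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    issuer = Issuer()
    card = "4111111111111111"                        # constructed test PAN
    phone = Device(issuer.enroll(card))
    results = {}
    # 1. Honest purchase: user approves 49.99 at shop-a on the device.
    ch = issuer.begin(card)
    code = phone.respond(ch, 4999, "shop-a")
    results["honest"] = issuer.complete(ch, 4999, "shop-a", code)
    # 2. Someone who saw the SMS or the terminal replays the same challenge and code.
    results["replay"] = issuer.complete(ch, 4999, "shop-a", code)
    # 3. Merchant or processor submits 4999.00 after the user approved 49.99.
    ch = issuer.begin(card)
    code = phone.respond(ch, 4999, "shop-a")
    results["inflated"] = issuer.complete(ch, 499900, "shop-a", code)
    # 4. Attacker holds the card number from a breach but not the device key.
    ch = issuer.begin(card)
    forged = one_time_code(b"\x00" * 32, ch, 100, "shop-b")
    results["forged"] = issuer.complete(ch, 100, "shop-b", forged)
    return results


if __name__ == "__main__":
    print(demo())
```

The property both commenters are after falls out of what is under the MAC: an observer at the phone company, the store, or the processor learns one code that is good for one challenge and one amount, and a stolen card number on its own is not enough to produce any code at all. What this does not cover is a compromised issuer or a compromised device, which the first commenter already noted as the residual risk.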
When I set up the cart for my employer, I naturally required buyers to put in their billing address info.
Fully 40% couldn't manage to supply their billing zip code.
Not even after they called us and we went through the guessing game over the phone.
I know we are a mobile society - but c'mon - I can remember every zip I've lived in for the last 15 years.
I finally gave up and now require only card number and expiration - that's it.
Fortunately, the vast majority of our purchases are under 50 bucks, and we've only had 3 or 4 charge backs in the last three years.
Most card theft is like gambling - a tax on the stupid.
People really must start paying more attention to user inputs';drop table users;--
Holy flerking schnit man, you are some kind of Internet mutant. I love it! You know, I met Rob at a LinuxWorld one year, they were passing the mic around and giving out Slashdot shirts to anyone who asked a question. When I saw him, he looked kind of like the kind of guy who would enjoy participating in a furious, multi-cock, world record busting gang bang. I don't know, that's just me. Make sure to step out of the basement for just a moment and smell the air, it's nice, I promise.
Smokedot.org
Note that these 'systems' were attacked through MSSQL holes.
Yes, don't lose faith! Lose Microsoft!
You are being MICROattacked, from various angles, in a SOFT manner.
These guys who have (attempted) fraud on a massive scale, causing losses to (incompetent) corporations and hassles for many people whose details (and identities) were stolen, are only likely to get 20 years according to the Guardian http://www.guardian.co.uk/world/2009/aug/18/american-credit-card-hacker
Whereas Gary McKinnon, who poked around in some unprotected computers, purely out of curiosity and not for financial gain, and only causing hassle to the incompetents who had not secured their network, is threatened with 60 years imprisonment!
Crazy.
... lock down the server to prevent unneeded network services and software installation (don't allow outbound curl, for example).
Excuse me? - The ability to fetch patches is essential to keeping a server secure. Allowing it to fetch patches from an intermediary server only doesn't make anything more secure, as that server is easily compromised if the attacker already has root on the production server. It will only serve as a delay and an annoyance to the attacker, nothing more.
No, the only way to go is to prevent the server from being owned in the first place. Sane code- and SQL-design plus a stripped down server should do the trick. Don't use java and other unnecessary complex languages with too many features. Use PHP or similar which doesn't launch tons of junk processes for each thread, each with thousands of possible buffer overflows (java leaks memory in case of even the smallest error). Feel free to use whatever for the customer service interface but hand off handling the credit card info to a minimal ultra-secure server that basically does nothing except to get the info and return the result. No bells and whistles, no unnecessary features.
"For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
The best system is a swiss cheese if the patches are not applied...
Seriously. I've seen far more serious security holes due to negligence on the side of the administrators and beancounters than on the side of the supplier of hard- and software. For many companies, security is still seen as a product. It's something you buy, some box you put in front of your machines, and you consider yourself safe and secure, never to touch it again.
That's not how it works. Security is a process. Security is something you have to establish and audit. Preferably constantly, but that's not economically feasible for most companies. But you have to audit your security system against current, modern threats; you have to audit it against everything that has happened and is a known exploit or a known procedure employed by criminals. Today, tomorrow, for the rest of your company's existence. It's nothing you do today and then you're done with it.
Security is an evolving process. A race between attacker and defender. You can't "win" and then be over with it.
And as soon as companies realize that, we'll see some progress in this field. Not a second earlier.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Unless your name is Johnny Tables, how do you execute a SQL injection on a credit card processing system?
Maybe the blame should be placed on the system that gave the attacker visibility into the transaction processing database, rather than a sandboxed (rather, firewalled) access to the data needed to complete his specific transaction.
-- I was raised on the command line, bitch
Heartland wasn't compromised by SQL injection, but it was their then head DBA's laptop that got compromised by some malware that gave the remote attacker control of his laptop. From there, they were able to use it to download Heartland's DBs of CCs. It wasn't till months after the laptop was compromised and the DBs downloaded that the breach was discovered. Heartland conveniently waited until Obama's Inauguration to do a Press Release so the major news outlets wouldn't pick it up: http://www.2008breach.com/Information20090120.asp http://it.slashdot.org/article.pl?sid=09/01/20/1930252&tid=76
This is more insider knowledge and I admit I can't back it up without making enough information available that would get me fired. Take it or leave it, those are the facts. I'm already taking a risk because my boss frequents slashdot.
SQL injection? I went to a local 2 year college and I know how to prevent those. Any idiot knows how to prevent those! Filter some damn command words and characters! Parameterize all queries! This is what happens when stupid people hire programmers with 4 year and masters degrees who look good on paper but actually have no idea what they're doing. I hate it when people like that, who companies think are sooooo great, get a job over me just because of their 4 year degree and going to some fancy private college, but I love it when things like this happen and they crash and burn. They damn well better have gotten fired and replaced by someone who's not a moron.
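Several comments in this thread (the "basic stuff" remark, the `';drop table users;--` joke, and the "filter command words / parameterize all queries" post above) are about the same thing, so here is one added example of it, not code from any commenter or from the breached systems. It runs against an in-memory SQLite table with constructed test card numbers; the `lookup_*` and `naive_filter` names are hypothetical. It shows the concatenated query falling to a tautology, the "filter some characters" approach being bypassed in a numeric context where no quotes are needed, and the parameterized query treating the same input as plain data. One caveat: SQLite's `execute()` refuses stacked statements, so the `; DROP TABLE` payload from the thread does not run here; drivers for MSSQL, the database named elsewhere in the thread, do allow it.

```python
import sqlite3

# Constructed payloads of the kind the thread is joking about.
TAUTOLOGY = "' OR '1'='1"        # closes the string literal, then always-true predicate
NUMERIC_INJECT = "1 OR 1=1"      # no quotes, so quote-stripping filters do nothing


def build_db() -> sqlite3.Connection:
    """In-memory table with constructed (Luhn-valid) test PANs."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, customer TEXT, pan TEXT)")
    con.executemany("INSERT INTO cards (customer, pan) VALUES (?, ?)",
                    [("alice", "4111111111111111"), ("bob", "5500000000000004")])
    return con


def lookup_vulnerable(con, customer: str) -> list:
    # Input is spliced into the SQL text, so it can change the query's grammar.
    sql = "SELECT pan FROM cards WHERE customer = '" + customer + "'"
    return [row[0] for row in con.execute(sql)]


def naive_filter(s: str) -> str:
    # The "filter some damn command words and characters" approach.
    for bad in ("'", ";", "--", "drop", "union"):
        s = s.replace(bad, "")
    return s


def lookup_by_id_filtered(con, card_id: str) -> list:
    # Numeric context: no quotes are needed to inject, so the filter is moot.
    sql = "SELECT pan FROM cards WHERE id = " + naive_filter(card_id)
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, customer: str) -> list:
    # Bound parameter: the input is only ever compared as a value.
    rows = con.execute("SELECT pan FROM cards WHERE customer = ?", (customer,))
    return [row[0] for row in rows]


def lookup_by_id_parameterized(con, card_id: str) -> list:
    # Validate the type first; "1 OR 1=1" is not an integer and is rejected outright.
    cid = int(card_id)
    rows = con.execute("SELECT pan FROM cards WHERE id = ?", (cid,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    con = build_db()
    print("vulnerable, tautology :", lookup_vulnerable(con, TAUTOLOGY))
    print("filtered, numeric     :", lookup_by_id_filtered(con, NUMERIC_INJECT))
    print("parameterized         :", lookup_parameterized(con, TAUTOLOGY))
```

The filter is the wrong tool because it tries to guess every way input could become syntax; the parameterized query removes the question by never letting input be syntax at all. Type validation on top of that (the `int()` call) is cheap and gives the application, rather than the database, the chance to reject garbage.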
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
See subject above, & ion.SIMIAN.c : Looks like your "VISION QUEST" failed, badly, in your trying to take on your betters. Mod down all you like, but, that doesn't make the points in the other replies that show your general weakness in the art & science of computing just "go away", now, does it? Nope.